Authentication for social media clients

I’m trying to understand the right/best setup for authentication or at least identification when creating a Twitter or Reddit client.

To authorize an app to access your social account you request an access token and then save and use that token to authenticate calls on the user’s behalf like posting.

Now once I get that token and save it to the user record in Xano, unless I also save it to the front end app or save the user record id, I can’t know which user record to use when making API calls.

I can see how it would make sense to use Xano authentication as the token that connects the front and back ends, but the user doesn’t have or need a second layer of account credentials like a username and password for the app I’m building. They just log in with their social account (on the social site’s page in a web view), and in fact they might log in with multiple accounts and switch between them regularly.

So if I don’t have or want to use a username and password to create a Xano authentication, can I make one without those, and how? Or should I just be saving the social access token as that key?

Thanks

Comments

  • Jay (Member)
    Looks like you don't have to use the username and password in the creation of the auth token?

    When using the Create Authentication Token function, is it self-contained in terms of adding the token to the user id that was used in creating it? Or do you need to add it to the user record with the returned variable?

    Lastly, if the token expires, how and when would I replace/renew it? Even in normal setups with a username and password you won't just log out a user from the app every hour, so what am I missing?
  • Michael Udinski (Administrator)
    The Authentication Token will need a user id to be assigned to it. The user ID is accessible through the auth token in the function stack with "auth ID".

    If you want additional user information in the token, you can use extras and pull that info through extras and dot notation: https://docs.xano.com/working-with-data/functions/utility-functions#create-authentication-token

    If the token expires or is logged out (the token is forgotten by your front end), the user must authenticate again. The expiration time is fully customizable.
  • Michael Udinski (Administrator)
    Of course, you don't have to use extras and can return the additional info as well.
  • Jay (Member)
    I'll bring this one up in office hours as I still don't understand it.
  • Michael Udinski (Administrator)
    OK. Which part are you still grappling with?
  • Jay (Member)
    1. If I am building an SM client, what would I save to the front end? Their access token or just a Xano auth token anyway?
    2. If I use an auth token and I don't have a username and password, how do I identify the user from the front end, and how do I authenticate it?
    3. How would I handle expiration in the SM client case? Maybe this is answered by answering the previous question.
    4. Does "Create Authentication Token" autosave it to the id you used within the function, or do I still need to save it to the user record somehow in the next line? Or am I misunderstanding what the token is or how it works/where it is saved?
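To make the pattern Michael describes concrete for Jay's questions 1 to 4, here is an added example that is not from the thread or from Xano: the backend issues its own signed auth token that carries the user id (plus optional extras) and an expiry, the front end stores only that token, and the social access token stays in the user record server-side and is resolved from the "auth ID" on each request. The HMAC signing, the `USERS` dictionary, the secret and the sample values are all constructed for this illustration; they stand in for whatever the real backend does when creating and verifying its token.

```python
import base64
import hashlib
import hmac
import json
import time

SERVER_SECRET = b"constructed-demo-secret-not-for-production"  # constructed
TOKEN_TTL_SECONDS = 3600  # "fully customizable" expiry, as in the thread

# Constructed stand-in for the user table: user_id -> linked social account.
# The social access token is stored here only, never handed to the front end.
USERS = {}

def link_social_account(user_id, provider, social_access_token):
    USERS[user_id] = {"provider": provider, "social_access_token": social_access_token}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_auth_token(user_id, extras=None, now=None, ttl=TOKEN_TTL_SECONDS):
    """Issue a backend auth token bound to a user id; no password involved."""
    issued = int(time.time() if now is None else now)
    payload = {"id": user_id, "exp": issued + ttl, "extras": extras or {}}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def auth_id(token, now=None):
    """Verify signature and expiry; return the payload (user id, extras) or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or signed with another secret
    payload = json.loads(_unb64(body))
    if payload["exp"] <= int(time.time() if now is None else now):
        return None  # expired: the user must authenticate with the social site again
    return payload

def social_token_for(auth_token, now=None):
    """What a backend endpoint does per request: auth ID -> stored social token."""
    payload = auth_id(auth_token, now)
    if payload is None:
        return None
    return USERS.get(payload["id"], {}).get("social_access_token")
```

Switching between several social accounts is then a matter of linking each one to its own user record (or to the same record under a different provider key) and issuing a fresh auth token for whichever account is active.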